Abstract

Telecare Medical Information Systems (TMIS) provide an effective way to enhance the medical process between doctors, nurses and patients. For the security and privacy of TMIS, it is important, yet challenging, to enhance a TMIS so that a patient and a doctor can perform mutual authentication and session key establishment through a third-party medical server while the privacy of the patient is ensured. In this paper, we propose an anonymous three-party password-authenticated key exchange (3PAKE) protocol for TMIS. The protocol is based on the efficient elliptic curve cryptosystem. For security, we apply the pi calculus based formal verification tool ProVerif to show that our 3PAKE protocol for TMIS provides anonymity for patient and doctor while at the same time achieving mutual authentication and session key security. The proposed scheme is secure and efficient, and can be used in TMIS.
Introduction

In the traditional medical diagnosis process, a patient goes to a hospital or clinic and then consults a doctor. With the advancement of computer and network technologies, many countries and regions are establishing telecare medical information systems (TMIS) to make the medical diagnosis process more efficient, reliable and effective. With TMIS, patients can save time and have easier access to doctors and specialists. Furthermore, patient records can be exchanged between various hospitals and clinics. The system also provides enhanced efficiency and effectiveness, especially for basic diagnoses performed at the patient's home [1]. TMIS is also useful for cases involving chronic patients. For example, through TMIS, a hypertension patient or a diabetes mellitus patient can exchange the daily medical data collected at home for medical advice from doctors or nurses directly, without having to visit a hospital or a clinic. For emergency patients, such as those with angina pectoris, hyperpyretic convulsion and asthma attacks, the TMIS can help exchange the medical records of the patient in question, for example, between the database of a family doctor and the ICU of a hospital.

In TMIS, patients, doctors and nurses register with a trusted medical server (TS) and use passwords to perform authentication or secure channel establishment with the TS. Once a patient needs to consult a doctor, the patient can contact the doctor and communicate with the doctor through a secure communication channel. To achieve these objectives, anonymous three-party password-authenticated key exchange (3PAKE) protocols for TMIS should be addressed. The 3PAKE protocol achieves mutual authentication between a patient and a doctor with the aid of the TS and, at the same time, ensures that an adversary does not learn the exact identities of the doctor and the patient. Furthermore, 3PAKE helps establish a secure channel by jointly generating a session key, which is then used for building a secure channel between the patient and the doctor.

In 2007, Lu and Cao [2] proposed an efficient 3PAKE scheme. However, Guo et al. [3], Chung and Ku [4], Phan et al. [5] and Nam et al. [6] later showed that Lu and Cao's scheme is vulnerable to the undetectable on-line dictionary attack, the off-line password guessing attack and the man-in-the-middle attack, respectively. In 2009, Huang [7] proposed another 3PAKE scheme, which Yoon and Yoo [8] later showed cannot defend against the undetectable password guessing attack and the off-line password guessing attack. In 2011, Lou and Huang [9] proposed a new 3PAKE scheme. The scheme is based on the Elliptic Curve Cryptosystem (ECC) and is efficient. However, Xie et al. [10] recently showed that Lou and Huang's scheme is vulnerable to the off-line password guessing attack and the partition attack. Xie et al. also proposed an improved scheme for solving these problems. In 2012, Yang and Cao [11] and Chen et al. [12] proposed modular exponentiation based and ECC-based 3PAKE schemes, respectively. However, these schemes require heavier computation costs than other existing schemes. In 2010, Wang and Zhao [13] proposed a three-party key agreement protocol based on chaotic maps. Later, Yoon and Jeon [14] showed that their scheme is vulnerable to the illegal message modification attack, and then proposed an improved one. Unfortunately, both schemes require a reliable third party that shares a different long-term cryptographic key with each participant, and it is inconvenient that each participant must protect a long-term secret key. Furthermore, these schemes are not as efficient as previous 3PAKE schemes. In 2013, Xie et al. [15] proposed the first chaotic maps-based 3PAKE scheme without using timestamps.

In light of all the schemes mentioned above, we notice that none of them supports privacy protection, since anyone can obtain a user's identity from the authentication process. As we know, user privacy protection is very important in some applications, such as telecare medical information systems (TMIS). In 2012, Lai et al. [16] proposed a smart-card-based anonymous 3PAKE using extended chaotic maps. However, Zhao et al. [17] showed that the scheme is vulnerable to the privileged insider attack and the off-line password guessing attack, and proposed an improved one. In 2013, Lee et al. [18] proposed another anonymous 3PAKE scheme using Chebyshev chaotic maps, but their scheme suffers from the man-in-the-middle attack once an attacker obtains the identity of each participant, which in practice is easy to do.

Given the advantages of the elliptic curve cryptosystem (ECC), namely shorter secret keys and faster computation, it is desirable to build an ECC-based anonymous 3PAKE scheme for TMIS. To the best of our knowledge, however, no ECC-based anonymous 3PAKE scheme has been proposed. In this paper, we propose the first ECC-based anonymous 3PAKE scheme and show that it is efficient.

The rest of the paper is organized as follows. In Section 2, we propose an anonymous 3PAKE scheme. The security analysis of the scheme is given in Section 3. After that, other security discussions and the performance comparison are described in Section 4. The paper is concluded in Section 5.

The Proposed Scheme 

In this section, we propose an anonymous 3PAKE scheme. The notations used in this paper are defined as follows.

$E$: an elliptic curve defined over a finite field, with large order $n$.
$P$: a generator on $E$ with large order $n$.
$h()$: a secure one-way hash function which maps to an integer.
$A$: user A, who may be a patient.
$B$: user B, who may be a doctor or nurse.
$TS$: the trusted medical server.
$pw_A$: user A's password, shared with TS.
$pw_B$: user B's password, shared with TS.
$ID_A, ID_B, ID_{TS}$: identities of A, B and TS, respectively.
$(d, F = dP)$: TS's private-public key pair.
$(E_k(), D_k())$: secure symmetric encryption/decryption functions with key $k$.

The proposed anonymous 3PAKE scheme is described as follows; Algorithm 1 illustrates the message flow.

Step 1: User A randomly chooses $t_a$ and computes
$Q_A = t_a P$, $F_A = t_a F = t_a dP = dQ_A$, $V_A = h(pw_A, ID_A, ID_B)$, $Z_A = E_{h(F_A)}(ID_A, ID_B, V_A)$.
Then A sends $\{Q_A, Z_A\}$ to TS.

Step 2: Upon receiving $\{Q_A, Z_A\}$, the trusted server TS computes $F_A' = dQ_A$, decrypts $Z_A$ with $h(F_A')$ to obtain $\{ID_A, ID_B, V_A\}$, computes $V_A' = h(pw_A, ID_A, ID_B)$ and verifies whether $V_A' = V_A$. If not, TS terminates. Otherwise, user A is authenticated, and TS knows that user A wants to establish a shared session key and communicate with user B. TS randomly chooses an integer $T_{TS}$, computes $Z_{TS} = T_{TS} \oplus h(pw_B, ID_{TS}, ID_B)$, and sends $\{ID_{TS}, Z_{TS}\}$ to B.

Step 3: Upon receiving $\{ID_{TS}, Z_{TS}\}$, user B computes $T_{TS} = Z_{TS} \oplus h(pw_B, ID_{TS}, ID_B)$, randomly chooses $t_b$, and computes
$Q_B = t_b P$, $F_B = t_b F$, $V_B = h(pw_B, ID_{TS}, ID_B, T_{TS})$, $Z_B = E_{h(F_B)}(ID_B, V_B)$.
Then B sends $\{Q_B, Z_B\}$ to TS.



Algorithm 1. The proposed anonymous 3PAKE scheme (message flow between A, TS and B).

A:        $Q_A = t_a P$, $F_A = t_a F$, $V_A = h(pw_A, ID_A, ID_B)$,
          $Z_A = E_{h(F_A)}(ID_A, ID_B, V_A)$
A -> TS:  $\{Q_A, Z_A\}$
TS:       $F_A' = dQ_A$, $D_{h(F_A')}(Z_A) = \{ID_A, ID_B, V_A\}$,
          $V_A' = h(pw_A, ID_A, ID_B)$, check $V_A' = V_A$,
          $Z_{TS} = T_{TS} \oplus h(pw_B, ID_{TS}, ID_B)$
TS -> B:  $\{ID_{TS}, Z_{TS}\}$
B:        $T_{TS} = Z_{TS} \oplus h(pw_B, ID_{TS}, ID_B)$, $Q_B = t_b P$, $F_B = t_b F$,
          $V_B = h(pw_B, ID_{TS}, ID_B, T_{TS})$, $Z_B = E_{h(F_B)}(ID_B, V_B)$
B -> TS:  $\{Q_B, Z_B\}$
TS:       $F_B' = dQ_B$, $D_{h(F_B')}(Z_B) = \{ID_B, V_B\}$,
          $V_B' = h(pw_B, ID_{TS}, ID_B, T_{TS})$, check $V_B' = V_B$,
          $R_B = E_{h(F_B')}(Q_A, ID_B, ID_A, F_B')$, $R_A = E_{h(F_A')}(Q_B, ID_A, ID_B, F_A')$
TS -> A:  $\{R_A\}$          TS -> B:  $\{R_B\}$
A:        $D_{h(F_A)}(R_A) = \{Q_B, ID_A, ID_B, F_A'\}$, check $F_A' = F_A$,
          $sk = h(t_a Q_B, ID_B, ID_A)$
B:        $D_{h(F_B)}(R_B) = \{Q_A, ID_B, ID_A, F_B'\}$, check $F_B' = F_B$,
          $sk = h(t_b Q_A, ID_B, ID_A)$
Session key: $sk = h(t_a t_b P, ID_B, ID_A)$
Step 4: Upon receiving $\{Q_B, Z_B\}$, TS computes $F_B' = dQ_B$ and decrypts $Z_B$ with $h(F_B')$ to obtain $\{ID_B, V_B\}$. Then TS computes $V_B' = h(pw_B, ID_{TS}, ID_B, T_{TS})$ and verifies whether the decrypted $V_B$ is correct by checking $V_B' = V_B$. If not, TS terminates. Otherwise, user B is authenticated.

TS computes and sends $R_B = E_{h(F_B')}(Q_A, ID_B, ID_A, F_B')$ to B, and computes and sends $R_A = E_{h(F_A')}(Q_B, ID_A, ID_B, F_A')$ to A.

Step 5: Upon receiving $R_A$ from TS, A decrypts $R_A$ and gets $\{Q_B, ID_A, ID_B, F_A'\}$. Then A checks the validity of $F_A'$ (that is, $F_A' = F_A$) and computes $sk = h(t_a Q_B, ID_B, ID_A) = h(t_a t_b P, ID_B, ID_A)$ as the session key. At the same time, B decrypts $R_B$ and gets $\{Q_A, ID_B, ID_A, F_B'\}$. After checking the validity of $F_B'$, B computes $sk = h(t_b Q_A, ID_B, ID_A) = h(t_b t_a P, ID_B, ID_A)$ as the session key shared with A.
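As an added example that is not part of the paper, the following Python runs Steps 1 to 5 end to end on a constructed toy curve ($y^2 = x^3 + 4x + 20$ over GF(29), 37 points) with an HMAC-based stand-in for $E_k()/D_k()$; the curve, the cipher, the identities and the passwords are all assumptions made here. Besides showing that A and B derive the same $sk = h(t_a t_b P, ID_B, ID_A)$, it exercises the termination branches of Steps 2 and 4, where TS rejects a run whose $V_A$ or $V_B$ does not verify against the password on file.

```python
import ast, hashlib, hmac, secrets

# Toy curve y^2 = x^3 + 4x + 20 over GF(29); P = (1, 5) generates all 37 points (constructed, insecure).
p, a, P, n = 29, 4, (1, 5), 37

def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P1 == P2
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q."""
    R = None
    while k:
        if k & 1: R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R

def h(*parts):
    """h(): one-way hash of a tuple; repr() serves as a toy canonical encoding."""
    return hashlib.sha256(repr(parts).encode()).digest()

def _keystream(k, length):
    return b"".join(hmac.new(k, i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))[:length]

def E(k, msg):
    """E_k(): encrypt-then-MAC of repr(msg) under the 32-byte key k."""
    pt = repr(msg).encode()
    ct = bytes(x ^ y for x, y in zip(pt, _keystream(k, len(pt))))
    return ct + hmac.new(k, ct, "sha256").digest()

def D(k, blob):
    """D_k(): recovers the tuple, or returns None if the tag fails."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, ct, "sha256").digest()):
        return None
    return ast.literal_eval(bytes(x ^ y for x, y in zip(ct, _keystream(k, len(ct)))).decode())

xor = lambda x, y: bytes(u ^ v for u, v in zip(x, y))
nonce = lambda: secrets.randbelow(n - 1) + 1          # t_a, t_b, d in [1, n-1]
ID_A, ID_B, ID_TS = "patient-A", "doctor-B", "TS"
REGISTERED = {ID_A: "pwA-on-file", ID_B: "pwB-on-file"}  # passwords held by TS

def run_3pake(pw_a, pw_b):
    """Runs Steps 1-5 with the passwords A and B actually type. Returns
    (sk_A, sk_B), or None when TS, A or B terminates because a check fails."""
    d = nonce(); F = ec_mul(d, P)                        # TS key pair (d, F = dP)
    # Step 1 (A): Q_A = t_a P, F_A = t_a F, Z_A = E_{h(F_A)}(ID_A, ID_B, V_A)
    t_a = nonce(); Q_A, F_A = ec_mul(t_a, P), ec_mul(t_a, F)
    Z_A = E(h(F_A), (ID_A, ID_B, h(pw_a, ID_A, ID_B)))
    # Step 2 (TS): F_A' = dQ_A, decrypt Z_A, recompute V_A from the password on file
    F_A1 = ec_mul(d, Q_A); dec = D(h(F_A1), Z_A)
    if dec is None or dec[2] != h(REGISTERED.get(dec[0]), dec[0], dec[1]): return None
    ida, idb = dec[0], dec[1]
    T_TS = secrets.token_bytes(32); Z_TS = xor(T_TS, h(REGISTERED.get(idb), ID_TS, idb))
    # Step 3 (B): recover T_TS, then Q_B = t_b P, F_B = t_b F, Z_B = E_{h(F_B)}(ID_B, V_B)
    T_TS_b = xor(Z_TS, h(pw_b, ID_TS, ID_B))
    t_b = nonce(); Q_B, F_B = ec_mul(t_b, P), ec_mul(t_b, F)
    Z_B = E(h(F_B), (ID_B, h(pw_b, ID_TS, ID_B, T_TS_b)))
    # Step 4 (TS): F_B' = dQ_B, verify V_B against the fresh T_TS, then issue R_B and R_A
    F_B1 = ec_mul(d, Q_B); dec = D(h(F_B1), Z_B)
    if dec is None or dec[1] != h(REGISTERED.get(dec[0]), ID_TS, dec[0], T_TS): return None
    R_B = E(h(F_B1), (Q_A, idb, ida, F_B1)); R_A = E(h(F_A1), (Q_B, ida, idb, F_A1))
    # Step 5 (A, B): check F_A' = F_A and F_B' = F_B, then sk = h(t_a t_b P, ID_B, ID_A)
    dec_a, dec_b = D(h(F_A), R_A), D(h(F_B), R_B)
    if dec_a is None or dec_b is None or dec_a[3] != F_A or dec_b[3] != F_B: return None
    return h(ec_mul(t_a, dec_a[0]), ID_B, ID_A), h(ec_mul(t_b, dec_b[0]), ID_B, ID_A)
```

Because the curve group has prime order 37, nonces drawn from [1, 36] never make $t_a t_b P$ or $dQ_A$ hit the point at infinity; a real deployment would use a standard curve of about 256 bits and a proper authenticated cipher in place of the toy constructions.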

Security Analysis 

In this section, we use the applied pi calculus [19] based formal verification tool ProVerif [20] to show that the proposed scheme satisfies anonymity, authentication and session key security. ProVerif is an automatic cryptographic protocol verifier in the formal model; it supports automatic and effective security analysis of many cryptographic primitives such as symmetric and asymmetric encryption, digital signatures, hash functions and Diffie-Hellman key agreement [21].

3.1 Authentication and security 

We model the protocol steps according to the message sequence shown in Section 2. In particular, the public channel ch1 is used for the communication between user A and the trusted medical server TS, and the public channel ch2 is used for the communication between user B and TS.

(* channels *)
(* ch1: communication channel between A and TS *)
(* ch2: communication channel between B and TS *)
free ch1: channel.
free ch2: channel.

We then define two variables SKA and SKB, which are the session keys calculated by A and B, respectively.

(* shared keys *)
free SKA: bitstring [private].
free SKB: bitstring [private].

The constants IDA, IDB and IDTS denote the identities of A, B and TS, and PWA and PWB denote the passwords of A and B shared with TS, respectively. d is TS's secret key, and the constant P is the base point of the group on E.

(* constants and variables *)
const IDA: bitstring.
const IDB: bitstring.
const IDTS: bitstring.
const PWA: bitstring [private].
const PWB: bitstring [private].
const P: bitstring.
free d: bitstring [private].

The ProVerif code for the function symbols (non-logical constants) and the corresponding equational theory is given below:

(* constructors *)
fun h(bitstring): bitstring.                 (* hash function *)
fun senc(bitstring, bitstring): bitstring.   (* symmetric encryption senc(m, k) *)
fun xor(bitstring, bitstring): bitstring.    (* exclusive-or *)
fun mult(bitstring, bitstring): bitstring.   (* elliptic curve scalar multiplication *)

(* destructors & equations *)
reduc forall x: bitstring, y: bitstring; sdec(senc(x, y), y) = x.
equation forall x: bitstring, y: bitstring; xor(xor(x, y), y) = x.
The core message sequence of the proposed scheme is given below. QA, ZA, ZTS, QB, ZB, RA and RB in these messages are computed by the corresponding senders before they are transmitted.

(* messages *)
Message 1: A -> TS: {QA, ZA}
Message 2: TS -> B: {IDTS, ZTS}
Message 3: B -> TS: {QB, ZB}
Message 4: TS -> A, B: {RA}, {RB}
The proposed protocol consists of the parallel execution of three processes: the user A (UserA), the trusted server (TrustSever) and another user B (UserB). The processes are the core of the protocol model and define the behavior of each participant in the applied pi calculus. The process UserA defines the behavior of user A, who computes QA, FA, VA and ZA, and sends the message (QA, ZA) through a public channel. After that, user A receives the message RA and computes SKA. The process UserA is modeled as below:

(* UserA's process *)
let UserA =
  new ta: bitstring;
  event UserStarted(IDA);
  let QA = mult(ta, P) in
  (* FA is written as d*QA so that it matches TS's FA' syntactically: the
     model has no equation making mult commute, and FA = ta*F = d*QA *)
  let FA = mult(d, QA) in
  let VA = h((PWA, IDA, IDB)) in
  let ZA = senc((IDA, IDB, VA), h(FA)) in
  out(ch1, (QA, ZA));
  in(ch1, RA': bitstring);
  let (QB': bitstring, IDA'': bitstring, IDB'': bitstring, FA'': bitstring) =
      sdec(RA', h(FA)) in
  if FA'' = FA then
  let SKA = h((mult(ta, QB'), IDB, IDA)) in
  0.

The process TrustSever defines the behavior of TS during authentication. It computes FA' and ZTS, and sends the message (IDTS, ZTS) to UserB through the public channel ch2 when it receives the message (QA, ZA) through the public channel ch1. After that, TrustSever receives the message (QB, ZB), computes RA and RB, and sends RA and RB to UserA and UserB through ch1 and ch2, respectively. The process TrustSever is modeled as follows.

(* TrustSever's process *)
let TrustSever =
  in(ch1, (QA': bitstring, ZA': bitstring));
  let FA' = mult(d, QA') in
  let (IDA': bitstring, IDB': bitstring, VA': bitstring) = sdec(ZA', h(FA')) in
  let VA'' = h((PWA, IDA', IDB')) in
  if VA' = VA'' then
  new TTS: bitstring;
  let ZTS = xor(TTS, h((PWB, IDTS, IDB))) in
  out(ch2, (IDTS, ZTS));
  in(ch2, (QB': bitstring, ZB': bitstring));
  let FB' = mult(d, QB') in
  let (IDB'': bitstring, VB': bitstring) = sdec(ZB', h(FB')) in
  let VB'' = h((PWB, IDTS, IDB, TTS)) in
  if VB' = VB'' then
  let RB = senc((QA', IDB, IDA, FB'), h(FB')) in
  let RA = senc((QB', IDA, IDB, FA'), h(FA')) in
  out(ch1, RA);
  out(ch2, RB).
The process UserB defines the behavior of user B during authentication, who computes TTS', QB, FB, VB and ZB, and sends the message (QB, ZB) back to TS through the public channel ch2. After that, user B receives the message RB and computes SKB. The process UserB is modeled as follows:

(* UserB's process *)
let UserB =
  in(ch2, (IDTS': bitstring, ZTS': bitstring));
  let TTS' = xor(ZTS', h((PWB, IDTS', IDB))) in
  new tb: bitstring;
  let QB = mult(tb, P) in
  let FB = mult(d, QB) in   (* same modelling shortcut as FA in UserA *)
  let VB = h((PWB, IDTS', IDB, TTS')) in
  let ZB = senc((IDB, VB), h(FB)) in
  out(ch2, (QB, ZB));
  in(ch2, RB': bitstring);
  let (QA': bitstring, IDB'': bitstring, IDA'': bitstring, FB'': bitstring) =
      sdec(RB', h(FB)) in
  if FB'' = FB then
  event UserAuthed(IDA'');
  let SKB = h((mult(tb, QA'), IDB, IDA)) in
  0.

The protocol is modeled as the parallel execution of the above three processes:

process !UserA | !TrustSever | !UserB

The session key security is formalized by the following two queries, checked by ProVerif:

(* queries *)
query attacker(SKA).
query attacker(SKB).

The authentication property of the protocol is modeled as a correspondence relation between two events, UserStarted and UserAuthed, which are inserted into the processes UserA and UserB, respectively:

event UserAuthed(bitstring).
event UserStarted(bitstring).
query id: bitstring; inj-event(UserAuthed(id)) ==> inj-event(UserStarted(id)).

We ran the above model in the latest version (1.85) of ProVerif, and the results show that (1) the session key of the proposed scheme is secure under the Dolev-Yao model, and (2) the authentication property is satisfied.

3.2 Anonymity 

In ProVerif, strong anonymity is defined as follows [22].

Let $P = \text{new } \tilde{n}.(R_1 \mid \cdots \mid R_p)$ be a $p$-party protocol in its canonical form, where $R_i = \text{new } id.\,\text{new } \tilde{m}.\,init_i.\,!(\text{new } s.\,main_i)$ for any $i \in \{1, \ldots, p\}$. For all $i \in \{1, \ldots, p\}$, we build the protocol $P^{R_i}$ as

$P^{R_i} = \text{new } \tilde{n}.(R_1 \mid \cdots \mid R_p \mid R_V)$, where $R_V = \text{new } \tilde{m}.\,init_i\{id_V / id\}.\,!(\text{new } s.\,main_i\{id_V / id\})$.

The identity $id_V$ of the agent playing role $R_V$ is a public name, not under any new restriction in $P$. $P$ is said to preserve strong anonymity of $R_i$ if $P \approx P^{R_i}$. Informally, this means that the adversary cannot distinguish a situation where the role $R_V$ with known identity $id_V$ was executed from one in which it was not executed at all [23]. Going back to our proposed protocol, strong anonymity requires that a system in which a user (A or B) with publicly known identity IDV executes the protocol be indistinguishable from a system in which that user is not present at all. We formally define user A and user B as follows:
(* declarations assumed by the anonymity model below (not printed in the paper):
   public channels c and kc, the passwords, the public identity IDV, and
   symmetric encryption taking the key as FIRST argument, including the
   randomized variant sencr/sdecr used for ZTS *)
free c, kc: channel.
free pwa, pwb: bitstring [private].
free IDV: bitstring.
fun senc(bitstring, bitstring): bitstring.
reduc forall k: bitstring, m: bitstring; sdec(k, senc(k, m)) = m.
fun sencr(bitstring, bitstring, bitstring): bitstring.
reduc forall k: bitstring, r: bitstring, m: bitstring; sdecr(k, sencr(k, r, m)) = m.

let UserA =
  in(kc, xPKTS: bitstring);        (* TS's public key F *)
  !(new ta: bitstring;
    let QA = mult(ta, P) in
    let FA = mult(ta, xPKTS) in
    let VA = h((pwa, IDA, IDB)) in
    let ZA = senc(h(FA), (IDA, IDB, VA)) in
    out(c, (QA, ZA));
    in(c, xRA: bitstring)).

let UserB =
  in(kc, xPKTS: bitstring);
  !(new tb: bitstring;
    in(c, (xIDTS: bitstring, xZTS: bitstring));
    let xTTS = sdecr(h((pwb, IDTS, IDB)), xZTS) in
    let QB = mult(tb, P) in
    let FB = mult(tb, xPKTS) in
    let VB = h((pwb, IDTS, IDB, xTTS)) in
    let ZB = senc(h(FB), (IDB, VB)) in
    out(c, (QB, ZB));
    in(c, xRB: bitstring)).

And formally define TS as follows:

let TS =
  new d: bitstring;
  ( !(let F = mult(d, P) in out(kc, F))      (* publish F = dP *)
  | !(new TTS: bitstring;                     (* one session of TS *)
      new rand: bitstring;
      in(c, (xQA: bitstring, xZA: bitstring));
      let FA = mult(d, xQA) in
      let (xIDA: bitstring, xIDB: bitstring, xVA: bitstring) =
          sdec(h(FA), xZA) in
      let VA = h((pwa, IDA, IDB)) in
      if VA = xVA then
      let ZTS = sencr(h((pwb, IDTS, IDB)), rand, TTS) in
      out(c, (IDTS, ZTS));
      in(c, (xQB: bitstring, xZB: bitstring));
      let FB = mult(d, xQB) in
      let (xIDB: bitstring, xVB: bitstring) =
          sdec(h(FB), xZB) in
      let VB = h((pwb, IDTS, IDB, TTS)) in
      if VB = xVB then
      let RB = senc(h(FB), (xQA, IDB, IDA, FB)) in
      let RA = senc(h(FA), (xQB, IDA, IDB, FA)) in
      out(c, RB);
      out(c, RA))
  ).

For verification, we use randomized symmetric encryption to conceal the random integer $T_{TS}$ instead of the exclusive-or. The proposed protocol is formally defined as:

process !((UserA) | (UserB) | (TS))

Anonymity of users A and B is proved separately as follows. In order to show A's anonymity, the proposed protocol is required to be observationally equivalent to the augmented protocol defined as follows:

process !((UserA) | (UserB) | (TS)) |
        (let IDA = IDV in ((UserA) | (UserB) | (TS)))

The observational equivalence can be translated into the following ProVerif bi-process:

process !((UserA) | (UserB) | (TS)) |
        (new ID: bitstring;
         let IDA = choice[ID, IDV] in ((UserA) | (UserB) | (TS)))

The right-hand side of the choice represents a system in which a user with public identity IDV can run the protocol. The proposed protocol is simulated using the latest version (1.85) of ProVerif, and the simulation outcome shows that the scheme achieves anonymity for user A. The anonymity of user B can be simulated and shown in a similar way.
Security Discussions and Performance Comparison

In this section, we discuss some other aspects related to security, 
and then evaluate the performance of the scheme. 

4.1 Discussions 

4.1.1 Offline password guessing attack. Suppose an adversary eavesdrops on the communication between A, B and TS and obtains all the transmitted messages $\{\{Q_A, Z_A\}, \{ID_{TS}, Z_{TS}\}, \{Q_B, Z_B\}, R_A, R_B\}$. To launch the off-line password guessing attack, the adversary may choose a trial password $pw_A'$ and compute $V_A' = h(pw_A', ID_A, ID_B)$. Even if the adversary knows $\{ID_A, ID_B\}$, the adversary still cannot compute $E_{h(F_A)}(ID_A, ID_B, V_A')$ and therefore cannot verify whether $Z_A = E_{h(F_A)}(ID_A, ID_B, V_A')$, since the adversary cannot derive $F_A = t_a F = t_a dP$ from $Q_A = t_a P$ and $F = dP$, due to the intractability of the Computational Diffie-Hellman (CDH) problem. Therefore, the adversary cannot verify whether the guessed $pw_A'$ is correct.

If the adversary guesses B's password $pw_B'$ and computes $T_{TS}' = Z_{TS} \oplus h(pw_B', ID_{TS}, ID_B)$ and $V_B' = h(pw_B', ID_{TS}, ID_B, T_{TS}')$, the adversary still cannot verify whether $Z_B = E_{h(F_B)}(ID_B, V_B')$ without knowing $F_B$. That is, the adversary cannot determine whether the guessed $pw_B'$ is correct.

Therefore, the proposed scheme resists the off-line password guessing attack. If an adversary launches an on-line password guessing attack, TS can detect the attack, since it verifies the correctness of $V_A$ and $V_B$.

4.1.2 Perfect forward secrecy. In the proposed scheme, the session key is $sk = h(t_a t_b P, ID_B, ID_A)$, where $t_a$ and $t_b$ are nonces chosen by user A and user B, respectively. Even if an adversary obtains TS's secret key $d$ together with the passwords and identities of A and B, the adversary cannot compute previously established session keys, due to the intractability of the CDH problem.

4.1.3 Replay attack. Suppose that an adversary impersonates A and replays A's message $\{Q_A, Z_A\}$ to TS; the adversary cannot compute $sk = h(t_a Q_B, ID_B, ID_A)$ without knowing $t_a$. On the other hand, if an adversary impersonates B and replays B's message $\{Q_B, Z_B\}$ to TS, $Z_B$ cannot pass the authentication check by TS, as $T_{TS}$ is a new nonce chosen by TS in each session. The same reasoning applies if an adversary replays TS's message $\{ID_{TS}, Z_{TS}\}$ or $R_B$: the replayed message cannot pass the verification performed by A and B, as $t_a$ and $t_b$ are new nonces chosen by A and B, respectively, and $\{F_A, F_B\}$ are refreshed in each session.

4.1.4 Forgery attack and impersonation. In our scheme, if an adversary attempts to impersonate A (or B, or TS) and sends messages to TS (or B, or A), these messages cannot pass the verification process of TS (or B, or A), as the adversary knows neither the password nor the secret key $d$.



4.1.5 Man-in-the-middle attack. If an adversary attempts to launch the man-in-the-middle attack, the adversary has to generate and send forged messages to TS, and these have to pass the verification performed by TS, before the adversary can obtain a session key shared with A and another session key shared with B. However, this is infeasible, as the adversary does not know $d$, $pw_A$ or $pw_B$.

4.2 Performance Analysis 

Let T, D, H and M be the time for performing a Chebyshev polynomial computation, a symmetric encryption/decryption, a one-way hash function, and a scalar multiplication on an elliptic curve, respectively. Li et al. [24] and Li et al. [25] showed that it takes 0.0005 second to complete one hash operation, 0.0087 second for one symmetric encryption/decryption, and 0.063075 second for one elliptic curve scalar multiplication. Kocarev and Lian [26] showed that it takes 0.07 second for a Chebyshev polynomial computation. As we know, these computation costs may vary with different computational configurations and settings. However, in general, the elliptic curve scalar multiplication and the Chebyshev polynomial evaluation are slower than a symmetric key based encryption/decryption or a one-way hash function operation. The performance comparison between the scheme proposed in this paper and three other recently proposed ones [16-18] is given in Table 1.

From Table 1, we can see that all schemes are efficient, but Lai et al.'s scheme is vulnerable to the privileged insider attack and the off-line password guessing attack, while Lee et al.'s scheme is vulnerable to the man-in-the-middle attack once the adversary gets to know the identities of at least two users, which in practice is feasible.

Conclusion 

In this paper, we proposed the first anonymous three-party password-authenticated key exchange scheme based on the elliptic curve cryptosystem. Anonymity, authentication and session key security of the proposed scheme are validated using the applied pi calculus based formal verification tool ProVerif. The proposed scheme is secure and efficient, and is suitable for applications in telecare medical information systems.
Table 1. Performance comparison.

Schemes           User A      User B      Server      Total        Rounds  Estimated Time (s)
Lai et al. [16]   3T+6H       3T+6H       2T+8H+2D    8T+20H+2D    5       0.5847
Zhao et al. [17]  3T+6H+1D    3T+5H+1D    2T+8H+2D    8T+19H+4D    5       0.6043
Lee et al. [18]   3T+4H       3T+5H       2T+7H       8T+16H       4       0.568
Our scheme        3M+4H+2D    3M+5H+2D    2M+7H+4D    8M+16H+8D    4       0.5822